IDS mailing list archives

RE: new intrusion detection system


From: "Kendzierski, Charles V." <c.kendzi () radium ncsc mil>
Date: Thu, 21 Oct 2004 11:48:48 -0400

Gautam,

    You bring up a good point in regards to a common reporting output format
for IDSs. In the late 90s, the IETF embarked upon the development of a
Common Intrusion Detection Framework (CIDF). Standardization of events,
alarms, and reporting was one such goal. Unfortunately, for whatever reason,
the group's efforts at a CIDF ceased momentum in early 2000. I have been
unable to find any updates on the IETF's efforts in this regard. A CIDF can
and should be supported for each IDS (NIDS, HIDS, and to a larger extent
firewalls and layer three devices), but understand that an agreement on a CIDF is
primal to this capability being provided.

Chuck Kendzierski



-----Original Message-----
From: Gautam Singaraju [mailto:gautam.singaraju () gmail com]
Sent: Wednesday, October 20, 2004 4:12 PM
To: Tomas Pluskal
Cc: focus-ids () securityfocus com
Subject: Re: new intrusion detection system


Tomas,
The IDS on process monitoring seems interesting. Just wondering, is there any
plan to generate the report based on IDMEF? The reports in the system
are generated using XML (report.xml?).
I am of the opinion that a common output format should be required for
all IDSs. This helps a lot when someone is interested in comparing
them with others.
thanks,
Gautam

On Tue, 19 Oct 2004 14:33:28 +0200 (CEST), Tomas Pluskal
<plusik () pohoda cz> wrote:

Hello to all,

I have implemented a new type of intrusion detection system for my Master's
thesis. I would like to announce this information, in case anyone would be
interested in this research.

The IDS system is designed as a kernel module for FreeBSD 5.2. It is inspired
by the SpamAssassin program, which detects spam by applying a set of tests to
every email message and summing the point scores generated by each test.
My IDS system applies a set of tests to every running process in the OS and
counts the score generated by the tests. Therefore, the purpose of the IDS is
not to monitor the network traffic, but rather to monitor the process
activity.

The current system status is a "working prototype" - it is not ready for
production usage, but it may serve as a good base for interesting
research.

If you are interested in this topic, please read the details here:
http://plusik.pohoda.cz/thesis/

Thanks,

Tomas

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
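The SpamAssassin-style scoring described in the announcement above, as an added userland illustration that is not code from the thesis or from the FreeBSD module: each test is a small predicate over a per-process record, every test that fires adds its weight, and the process is flagged only when the sum crosses a threshold. The record layout, the five tests, their weights, the 5.0 threshold and the two sample processes are all constructed for this example (a real kernel module would read the attributes from the kernel's process structures); the point it shows is that a single test firing on a legitimate daemon stays below threshold, while several weak indicators on one process add up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Per-process attributes a test can inspect. Constructed for this
 * example; a kernel module would fill them from the process table. */
struct proc_info {
    int pid;
    const char *comm;
    unsigned uid, euid;           /* real and effective uid */
    const char *exec_path;
    bool listening_socket;        /* owns a socket in LISTEN state */
    bool has_ctty;                /* has a controlling terminal */
    unsigned execs;               /* execve() calls observed */
    unsigned failed_syscalls;     /* syscalls that failed with EPERM/EACCES */
};

typedef bool (*test_fn)(const struct proc_info *);

struct proc_test {
    const char *name;
    double score;                 /* points added when the test fires */
    test_fn fn;
};

/* Hypothetical tests and weights, chosen for illustration only. */
static bool t_uid_escalation(const struct proc_info *p)
{
    return p->uid != 0 && p->euid == 0;
}
static bool t_exec_from_tmp(const struct proc_info *p)
{
    return strncmp(p->exec_path, "/tmp/", 5) == 0 ||
           strncmp(p->exec_path, "/var/tmp/", 9) == 0;
}
static bool t_root_listener_no_tty(const struct proc_info *p)
{
    return p->euid == 0 && p->listening_socket && !p->has_ctty;
}
static bool t_permission_probing(const struct proc_info *p)
{
    return p->failed_syscalls > 50;
}
static bool t_exec_storm(const struct proc_info *p)
{
    return p->execs > 20;
}

static const struct proc_test TESTS[] = {
    { "UID_ESCALATION",       3.0, t_uid_escalation },
    { "EXEC_FROM_TMP",        2.5, t_exec_from_tmp },
    { "ROOT_LISTENER_NO_TTY", 1.5, t_root_listener_no_tty },
    { "PERMISSION_PROBING",   1.0, t_permission_probing },
    { "EXEC_STORM",           2.0, t_exec_storm },
};
#define NTESTS (sizeof TESTS / sizeof TESTS[0])
#define THRESHOLD 5.0

/* Bitmask of the tests that fired for p (bit i corresponds to TESTS[i]). */
unsigned fired_tests(const struct proc_info *p)
{
    unsigned mask = 0;
    for (size_t i = 0; i < NTESTS; i++)
        if (TESTS[i].fn(p))
            mask |= 1u << i;
    return mask;
}

/* Sum of the weights of every test that fired, SpamAssassin style. */
double score_process(const struct proc_info *p)
{
    double total = 0.0;
    unsigned mask = fired_tests(p);
    for (size_t i = 0; i < NTESTS; i++)
        if (mask & (1u << i))
            total += TESTS[i].score;
    return total;
}

int is_suspicious(const struct proc_info *p)
{
    return score_process(p) >= THRESHOLD;
}

/* Constructed sample records, not real processes. */
static const struct proc_info SAMPLE_SSHD = {
    512, "sshd", 0, 0, "/usr/sbin/sshd", true, false, 1, 2
};
static const struct proc_info SAMPLE_BACKDOOR = {
    9031, "x", 1001, 0, "/tmp/.x/bd", true, false, 3, 60
};

int main(void)
{
    const struct proc_info *procs[] = { &SAMPLE_SSHD, &SAMPLE_BACKDOOR };
    for (size_t k = 0; k < 2; k++) {
        const struct proc_info *p = procs[k];
        unsigned mask = fired_tests(p);
        printf("pid %d (%s): score %.1f%s\n", p->pid, p->comm,
               score_process(p), is_suspicious(p) ? " SUSPICIOUS" : "");
        for (size_t i = 0; i < NTESTS; i++)
            if (mask & (1u << i))
                printf("  %-22s +%.1f\n", TESTS[i].name, TESTS[i].score);
    }
    return 0;
}
```

The sshd record trips only ROOT_LISTENER_NO_TTY (1.5 points) and stays well under the threshold, which is exactly the property that makes this approach tolerable on a live host: no single weak indicator raises an alarm. The second record scores 8.0 from four independent tests, none of which is conclusive on its own. As with SpamAssassin, the weights and threshold are where all the tuning effort goes.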





